Russian Personal Data Law Amended To Address Publicly Available Data And Fines

• Published date: 11 June 2021
• Subject Matter: Privacy, Data Protection
• Law Firm: Hogan Lovells
• Author: Ms Natalia Gulyaeva, Julia Gurieva and Alla Gorbushina

March 2021 brought two significant amendments to Russia's Personal Data Law: one related to processing of publicly available personal data, and another increasing fines for violations of various data privacy requirements. This article provides a summary of the amendments.

Special requirements for processing publicly available personal data

Russia's Personal Data Law was amended with new requirements for the processing of publicly available personal data. The amendments came into force on 1 March 2021, except for one provision related to a new information system maintained by the Russian data protection authority (discussed below). According to Russian data protection authority there is no need to re-execute consents for personal data dissemination obtained in compliance with law before 1 March 2021.

The new requirements are intended to protect published personal data against uncontrolled distribution by creating a default presumption that publicly available personal data cannot be further disseminated by third-party readers. They also give data subjects the possibility to indicate which of their personal data may become publicly available and how the published data may be processed by third-party "readers."

Under the previous version of the Russian Personal Data Law, data operators (i.e., data controllers) could process personal data without a data subject's consent if the data was made available to an unlimited number of persons (i.e., published) by the respective data subject or upon the data subject's instruction. Effectively, this meant that published personal data, including personal data on the internet, could be collected and disseminated further by any business.

The amendments have changed this approach significantly. First, they introduced a new category of personal data - "personal data made publicly available" - defined as personal data to which an unlimited number of persons may have access based on a data subject's specific consent for dissemination of the data ("dissemination consent"). Second, the amendments establish special rules for processing of personal data made publicly available, in particular:

(a) A data operator cannot disseminate publicly available personal data without consent. In order to be effective, the dissemination consent must be obtained separately from other types of consents and contain a clear statement that dissemination is allowed by data subject. Under no circumstances may a data subject's silence or inaction be...